
Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
I've searched the entire internet for more help on this but can't find any useful info so I hope someone can help me here :)

So I've got my entire server up and running without any hiccups.
So I made my local users, local network users, this works perfectly too, if they enter their name and password on the Server (an iMac) they can log in and access all their files without any problems.
But if they log in to another computer (with mobility enabled via profile manager), it just creates a local home folder on that computer without any of the files available that are available when they log in via the server.
Also when I try manual sync it gives the error message "Can't write to home folder".

Hope someone can help me with this :D
 

Alrescha

macrumors 68020
Jan 1, 2008
2,156
317
Also when I try manual sync it gives the error message "Can't write to home folder".

You might start by making sure that the volume containing the home folders is shared and accessible by those remote computers. As an example, you should be able to use 'Connect to Server' in Finder and remotely mount a user's home folder (with appropriate authentication).

A.
 

Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
You might start by making sure that the volume containing the home folders is shared and accessible by those remote computers. As an example, you should be able to use 'Connect to Server' in Finder and remotely mount a user's home folder (with appropriate authentication).

A.

Any tips on this?
It doesn't work when I try even with a newly created home mobile account.
Do I need to move the User folders to another location instead of /Users/ or use a terminal command :confused:

Thanks for your response :D
 

ElectronGuru

macrumors 68000
Sep 5, 2013
1,656
490
Oregon, USA
Local Users are local machine only

Local Network Users are what you want

I believe you can't create LNU until open directory is turned on and it may not be possible to convert LU into LNU after the fact.

Best to pick one of the manuals from iBooks.
 

Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
Local Users are local machine only

Local Network Users are what you want

I believe you can't create LNU until open directory is turned on and it may not be possible to convert LU into LNU after the fact.

Best to pick one of the manuals from iBooks.

Open Directory and profile manager are already turned on :)
 

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
First off, when working with network users, make sure that you are authenticated to Workgroup Manager using the Directory Administrator's account (the account that you set up when creating Open Directory). You will also want to make sure that the current working directory is not local but LDAP. Seeing as the Directory Server is also part of the Open Directory Domain, users created in the LDAP directory (should be labeled something like LDAPv3/127.0.0.1) will also be able to log into the server.

You will need to make sure that in Workgroup Manager, under the Home tab (for the specific users), you have entered the network share path of the home folder (ex. if the share is the users folder, then the path should be "afp://your-servers-host-name/Users/").

Under the Sharing tab in Workgroup Manager, you will want to make sure that the users folder is listed in there as a Share. In the share settings, under general you should have both "share this item and its contents" and "enable Access Control Lists on this Volume" checked. Under Protocols, you will need to make sure that AFP sharing is enabled (The "share this item using AFP" option is checked) and you will want to do the same for SMB (if you are planning on having Windows computers on your domain as well). Under Network Mount, you will want to make SURE that "Enable network mounting of this share point" is checked, and that the "Where" section is set to point to the LDAPv3 Directory. Under "protocol" set it to "AFP" and under "Use For" set it to "User Home Directories".

That should get you going, or at least give you more of a jump start :).
 

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
As far as mobility goes, that is just a simple setup in the preferences tab of Workgroup Manager. Choose your user, and then click on Mobility in the Preferences section. Configure your Mobility settings (it's pretty straightforward) and you should be rock and roll! The one thing to remember is that typically with Mobility accounts, because they are intended for use on Offsite or Portable computers (computers that will not ALWAYS be able to contact the Directory Master [or any slaves]), the data for the user's home folder is not just saved to the server. If you enable Mobility it will configure the account settings so that when users log into computers other than the server, it will give them the option to create a "mirrored" home directory copy on the local workstation. It then saves all of the data that users save in their home folder to the local machine, and on a schedule, syncs it to the server and other workstations that the user has logged into.

There are some instances where this is actually extremely useful, even if not using for offsite or portable systems. This works great if you have a very pegged out network, and you really can't have 5-10 [or however many] computers reading/writing data constantly to and from the server. By enabling mobility (provided that your workstations have the hard drive space for this [which can turn out to be a lot of disk space when it's all over with]) you can set it up to only sync once a day, and that way your performance is not limited by network speed. You set it up to sync after closing or when the machines will not be used, and you never notice any performance decreases.

Another advantage (again, provided that you have adequate hard disk space), is that you end up with two/multiple copies of your users' data, so if anything happens to either the server, or the workstation(s) that the user is using, you can use one of the other copies of the data to recover from, simply by unplugging the computer from the network before the user signs into it next, so that it doesn't get the signal from the server to delete the file (since you deleted on a different networked machine).
 

Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
First off, when working with network users, make sure that you are authenticated to Workgroup Manager using the Directory Administrator's account (the account that you set up when creating Open Directory). You will also want to make sure that the current working directory is not local but LDAP. Seeing as the Directory Server is also part of the Open Directory Domain, users created in the LDAP directory (should be labeled something like LDAPv3/127.0.0.1) will also be able to log into the server.

You will need to make sure that in Workgroup Manager, under the Home tab (for the specific users), you have entered the network share path of the home folder (ex. if the share is the users folder, then the path should be "afp://your-servers-host-name/Users/").

Under the Sharing tab in Workgroup Manager, you will want to make sure that the users folder is listed in there as a Share. In the share settings, under general you should have both "share this item and its contents" and "enable Access Control Lists on this Volume" checked. Under Protocols, you will need to make sure that AFP sharing is enabled (The "share this item using AFP" option is checked) and you will want to do the same for SMB (if you are planning on having Windows computers on your domain as well). Under Network Mount, you will want to make SURE that "Enable network mounting of this share point" is checked, and that the "Where" section is set to point to the LDAPv3 Directory. Under "protocol" set it to "AFP" and under "Use For" set it to "User Home Directories".

That should get you going, or at least give you more of a jump start :).

Hey!

Thanks a lot for the answer! I've shared the user folder via the Server app (Can't find sharing in workgroup manager) and from there I also enabled AFP and SMB :) (I've added a screenshot of the settings I've enabled)

But now if I create a new user I get this error message "existing connection is not authenticated: password change denied"
And this while the server is a clean install :/

So glad you can help out btw :D
 

Attachments

  • Screen Shot 2014-02-20 at 11.47.36.png

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
Have you run all of the updates for Mavericks server? I have had some problems with a lot of the AFP and SMB services with Mavericks, and personally if the server doesn't already have a lot of configuration time into it, I would recommend downgrading to Lion or Mountain Lion, and waiting until Apple fixes more of the Bugs with Mavericks. MAKE PERFECTLY SURE THAT YOU ARE AUTHENTICATED TO THE LDAPv3/127.0.0.1 Directory in Workgroup Manager (kinda sounds like that is what that error is relating to). Are you experiencing that error on the Server side, or on the Workstations?

-Micah
 

Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
Have you run all of the updates for Mavericks server? I have had some problems with a lot of the AFP and SMB services with Mavericks, and personally if the server doesn't already have a lot of configuration time into it, I would recommend downgrading to Lion or Mountain Lion, and waiting until Apple fixes more of the Bugs with Mavericks. MAKE PERFECTLY SURE THAT YOU ARE AUTHENTICATED TO THE LDAPv3/127.0.0.1 Directory in Workgroup Manager (kinda sounds like that is what that error is relating to). Are you experiencing that error on the Server side, or on the Workstations?

-Micah

-Yup all updates, including the separate VPN server.
-In workgroup manager I'm authenticated with the LDAPv3/127.0.1 account, gonna try to login to the server that way :)
-I'm having the error on all computers remotely managing the server including the server itself.

How would I do the downgrading :p

Thx for the help bro ;)
 

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
Unfortunately the downgrade isn't an "option". To downgrade, you would have to have an install disc/key for a previous version of OS X server (which I'm assuming you probably have). If you wanted to keep your data, the best way would be to:

1. backup all data to an external data source (external drive, NAS, File Server, etc)
2. Boot the computer from the install disc (of a previous version of OS X [ex. 10.7, 10.8])
3. Open disk utility (under the utilities Menu)
4. Format the Drive
5. Install the OS off the disc
6. Migrate the Data Back
7. Reconfigure the server.

You can export accounts as well in Workgroup manager. You could export the accounts if you wish (that way you don't have to set them all back up), then re-import them when you are done. I don't know if I would recommend that though, because if you are already having problems, re-configuring it from scratch may help you notice something that you missed before.

I haven't really played around with Open Directory or Workgroup manager in Mavericks too much, seeing as my OD server is running a previous version of Apple Server (surprisingly 10.4). I did mess around with it a bit in 10.7 though, and I will be downgrading my Mavericks File server to 10.7 this evening as a matter of fact, as I am experiencing too many issues with Mavericks and I don't have the time to screw with them :)
 

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
When you are looking in Workgroup manager, and you select a user, Under the Basic tab, where it says Account summary, you should have the following (or something sort of similar):

Location: your-servers-host-name-or-ip-address/LDAPv3/127.0.0.1
Home: afp://your-servers-host-name/home-share-name(probably Users)/user-name
Primary Group: whatever group you put the user in
Password: Open Directory

It is very essential that under the Home tab in Workgroup Manager, you have the user's home folder pointed to an AFP share path (ex. afp://myopendirectoryserver.local/Users/). This path is exactly what is sent to the workstation when it is trying to decide where to read the home folder from. If this path just says something like "/Users/" then the workstation will think that it needs to put the home folder in its local Users folder, not the Server Users folder.


ALSO: I have had much better luck using the host name of the server for home directories and Directory Binding than I have using the IP address. Don't know why, it just seems to work much better and smoother. If you have anything pointed to the IP address, I would recommend changing it to the Host name of the server. You can quickly find out your host name by typing "hostname" (minus the quotation marks) in the Terminal and hitting enter.
 
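Added example (not part of any poster's reply, and not Apple's or Workgroup Manager's code): a small Python check that reads an account summary in the layout shown in the post above and reports the misconfigurations it describes, namely a non-LDAPv3 location, a home that is not an afp:// share path, and an IP address where the host name is recommended. The sample record, the host name odserver.example.com and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the "Account summary" layout from the post above.
SAMPLE_SUMMARY = """\
Location: odserver.example.com/LDAPv3/127.0.0.1
Home: afp://odserver.example.com/Users/alice
Primary Group: staff
Password: Open Directory
"""

def parse_summary(text):
    """Turn 'Key: value' lines into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_account(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse_summary(text)
    findings = []
    if "/LDAPv3/" not in f.get("Location", ""):
        findings.append("account is not in the LDAPv3 directory node")
    home = urlparse(f.get("Home", ""))
    if home.scheme != "afp":
        # A bare path such as /Users/alice makes the workstation use its local Users folder.
        findings.append("home is not an afp:// share path")
    else:
        try:
            ipaddress.ip_address(home.hostname or "")
            findings.append("home URL uses an IP address instead of the host name")
        except ValueError:
            pass  # not an IP literal, so it is a host name
        if len([p for p in home.path.split("/") if p]) < 2:
            findings.append("home URL lacks the share name or the user folder")
    if f.get("Password") != "Open Directory":
        findings.append("password type is not Open Directory")
    return findings

if __name__ == "__main__":
    for finding in check_account(SAMPLE_SUMMARY) or ["no findings"]:
        print(finding)
```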

Lauwie

macrumors regular
Original poster
Jun 17, 2011
129
38
When you are looking in Workgroup manager, and you select a user, Under the Basic tab, where it says Account summary, you should have the following (or something sort of similar):

Location: your-servers-host-name-or-ip-address/LDAPv3/127.0.0.1
Home: afp://your-servers-host-name/home-share-name(probably Users)/user-name
Primary Group: whatever group you put the user in
Password: Open Directory

It is very essential that under the Home tab in Workgroup Manager, you have the user's home folder pointed to an AFP share path (ex. afp://myopendirectoryserver.local/Users/). This path is exactly what is sent to the workstation when it is trying to decide where to read the home folder from. If this path just says something like "/Users/" then the workstation will think that it needs to put the home folder in its local Users folder, not the Server Users folder.


ALSO: I have had much better luck using the host name of the server for home directories and Directory Binding than I have using the IP address. Don't know why, it just seems to work much better and smoother. If you have anything pointed to the IP address, I would recommend changing it to the Host name of the server. You can quickly find out your host name by typing "hostname" (minus the quotation marks) in the Terminal and hitting enter.

All right, sad story then, so I'll just have to downgrade :/
What happened with the just works philosophy?!
 

micahrobichaux

macrumors newbie
Feb 19, 2014
7
0
The 'Just Works' philosophy seemed to kind of die with Mavericks. As far as a workstation OS, I don't have a problem with Mavericks. When using Mavericks Server OS, I have seen tons of issues (VPN, AFP, SMB). I think that the last decent server OS was Lion (just a personal preference).

-Micah
 